
Группа :: Работа с текстами
Пакет: libwmf


Патч: libwmf-0.2.8.3-CAN-2004-0941.patch


--- libwmf-0.2.8.3/src/extra/gd/gd_security.c.can-2004-0941	2006-06-29 06:59:12.287496990 -0600
+++ libwmf-0.2.8.3/src/extra/gd/gd_security.c	2006-06-29 06:59:12.287496990 -0600
@@ -0,0 +1,29 @@
+/*
+   * gd_security.c
+   *
+   * Implements buffer overflow check routines.
+   *
+   * Written 2004, Phil Knirsch.
+   * Based on netpbm fixes by Alan Cox.
+   *
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <limits.h>
+#include "gd.h"
+
+int overflow2(int a, int b)
+{
+	if(a < 0 || b < 0) {
+		fprintf(stderr, "gd warning: one parameter to a memory allocation multiplication is negative, failing operation gracefully\n");
+		return 1;
+	}
+	if(b == 0)
+		return 0;
+	if(a > INT_MAX / b) {
+		fprintf(stderr, "gd warning: product of memory allocation multiplication would exceed INT_MAX, failing operation gracefully\n");
+		return 1;
+	}
+	return 0;
+}
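Review bot: Nothing in this patch declares `overflow2` in `gd.h` or any other header, so unless a prototype exists elsewhere the callers in wbmp.c, gd_topal.c, gd_io_dp.c and gd.c reach it through an implicit declaration. Their `sizeof (int)` arguments would then be passed as `size_t` to a function defined with `int` parameters, which is undefined behaviour and can make the check itself unreliable. Add `int overflow2(int a, int b);` to the header those files include. The function also needs a contract comment, for example `/* Returns 1 if either operand is negative or a * b would exceed INT_MAX, 0 if the product is safe. */`.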
--- libwmf-0.2.8.3/src/extra/gd/wbmp.c.can-2004-0941	2001-05-19 07:09:34.000000000 -0600
+++ libwmf-0.2.8.3/src/extra/gd/wbmp.c	2006-06-29 06:59:12.287496990 -0600
@@ -116,6 +116,14 @@ createwbmp (int width, int height, int c
   if ((wbmp = (Wbmp *) gdMalloc (sizeof (Wbmp))) == NULL)
     return (NULL);
 
+  if (overflow2(sizeof (int), width)) {
+     gdFree(wbmp);
+     return (NULL);
+  }
+  if (overflow2(sizeof (int) * width, height)) {
+     gdFree(wbmp);
+     return (NULL);
+  }
   if ((wbmp->bitmap = (int *) gdMalloc (sizeof (int) * width * height)) == NULL)
     {
       gdFree (wbmp);
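Review bot: The second call passes `sizeof (int) * width`, a `size_t`, into an `int` parameter, and that conversion is only safe because the preceding `overflow2(sizeof (int), width)` check has already bounded the product by INT_MAX. The ordering dependency should be stated in a comment such as `/* the first check bounds sizeof(int) * width, so the int conversion below cannot truncate */`. The two `if` blocks duplicate the cleanup and could be one `||` condition, as the readwbmp hunk in this file already does; the same ordering dependency applies there. createwbmp continues outside this hunk.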
@@ -176,6 +184,12 @@ readwbmp (int (*getin) (void *in), void 
   printf ("W: %d, H: %d\n", wbmp->width, wbmp->height);
 #endif
 
+  if (overflow2(sizeof (int), wbmp->width) ||
+    overflow2(sizeof (int) * wbmp->width, wbmp->height))
+    {
+      gdFree(wbmp);
+      return (-1);
+    }
   if ((wbmp->bitmap = (int *) gdMalloc (sizeof (int) * wbmp->width * wbmp->height)) == NULL)
     {
       gdFree (wbmp);
--- libwmf-0.2.8.3/src/extra/gd/gd_topal.c.can-2004-0941	2001-05-19 07:09:34.000000000 -0600
+++ libwmf-0.2.8.3/src/extra/gd/gd_topal.c	2006-06-29 06:59:12.288496809 -0600
@@ -669,6 +669,9 @@ select_colors (gdImagePtr im, my_cquanti
   int i;
 
   /* Allocate workspace for box list */
+  if (overflow2(desired_colors, sizeof (box))) {
+    return;
+  }
   boxlist = (boxptr) gdMalloc (desired_colors * sizeof (box));
   /* Initialize one box containing whole space */
   numboxes = 1;
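Review bot: The early `return;` gives the caller of select_colors no way to tell that no colours were selected, because the function returns nothing, so whatever runs after it proceeds as if the box list had been built. The caller is outside this hunk, so how it behaves on a colour map that was never filled in should be checked, and the failure should preferably be propagated through a status return. No NULL check on the `gdMalloc` result is visible in the hunk either. At minimum, add `/* NOTE: caller cannot detect this failure */` above the return.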
--- libwmf-0.2.8.3/src/extra/gd/gd_io_dp.c.can-2004-0941	2001-05-19 07:09:34.000000000 -0600
+++ libwmf-0.2.8.3/src/extra/gd/gd_io_dp.c	2006-06-29 06:59:12.288496809 -0600
@@ -185,6 +185,9 @@ dynamicSeek (struct gdIOCtx *ctx, const 
   bytesNeeded = pos;
   if (bytesNeeded > dp->realSize)
     {
+      if (overflow2(dp->realSize, 2)) {
+        return FALSE;
+      }
       if (!gdReallocDynamic (dp, dp->realSize * 2))
 	{
 	  dp->dataGood = FALSE;
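Review bot: The new `return FALSE;` leaves `dp->dataGood` untouched, while the realloc failure path directly below sets `dp->dataGood = FALSE;` before failing. The overflow path should mark the buffer the same way: `if (overflow2(dp->realSize, 2)) { dp->dataGood = FALSE; return FALSE; }`. The same applies to the check added in appendDynamic. dynamicSeek starts and ends outside this hunk, so whether callers rely on dataGood is not visible here.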
@@ -356,6 +359,9 @@ appendDynamic (dynamicPtr * dp, const vo
 
   if (bytesNeeded > dp->realSize)
     {
+      if (overflow2(dp->realSize, 2)) {
+        return FALSE;
+      }
       if (!gdReallocDynamic (dp, bytesNeeded * 2))
 	{
 	  dp->dataGood = FALSE;
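Review bot: The check guards `dp->realSize * 2`, but the allocation below requests `bytesNeeded * 2`, and this branch is only taken when `bytesNeeded > dp->realSize`. The product that is actually computed can therefore still overflow after the check has passed. The guard should test the operand that is multiplied: `if (overflow2(bytesNeeded, 2))`. How bytesNeeded itself is computed lies outside the hunk and may need its own range check.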
--- libwmf-0.2.8.3/src/extra/gd/Makefile.am.can-2004-0941	2006-06-29 07:06:37.525017191 -0600
+++ libwmf-0.2.8.3/src/extra/gd/Makefile.am	2006-06-29 07:07:12.413710434 -0600
@@ -22,7 +22,7 @@ libgd_la_SOURCES = gd.c gd_gd.c gd_gd2.c
 		gd_io_file.c gd_ss.c gd_io_ss.c gd_png.c gd_jpeg.c gdxpm.c \
 		gdfontt.c gdfonts.c gdfontmb.c gdfontl.c gdfontg.c \
 		gdtables.c gdft.c gdcache.c gdkanji.c wbmp.c \
-		gd_wbmp.c gdhelpers.c gd_topal.c gd_clip.c
+		gd_wbmp.c gdhelpers.c gd_topal.c gd_clip.c gd_security.c
 
 gddir = $(includedir)/libwmf/gd
 
--- libwmf-0.2.8.3/src/extra/gd/gd.c.can-2004-0941	2002-12-05 13:09:11.000000000 -0700
+++ libwmf-0.2.8.3/src/extra/gd/gd.c	2006-06-29 06:59:12.289496628 -0600
@@ -1865,6 +1865,12 @@ gdImageCopyResized (gdImagePtr dst, gdIm
   int *sty;
   /* We only need to use floating point to determine the correct
      stretch vector for one line's worth. */
+  if (overflow2(sizeof (int), srcW)) {
+    return;
+  }
+  if (overflow2(sizeof (int), srcH)) {
+    return;
+  }
   double accum;
   stx = (int *) gdMalloc (sizeof (int) * srcW);
   sty = (int *) gdMalloc (sizeof (int) * srcH);
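Review bot: The two checks are placed between `int *sty;` and `double accum;`, which puts a declaration after statements. That is not valid C89 and fails on compilers or flag sets that reject mixed declarations and code. Moving both `if` blocks below `double accum;` keeps the behaviour and the declaration-first layout of the block. The `gdMalloc` results for `stx` and `sty` have no NULL check within the hunk, and the function continues outside it.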
@@ -2277,6 +2283,9 @@ gdImageFilledPolygon (gdImagePtr im, gdP
     }
   if (!im->polyAllocated)
     {
+      if (overflow2(sizeof (int), n)) {
+        return;
+      }
       im->polyInts = (int *) gdMalloc (sizeof (int) * n);
       im->polyAllocated = n;
     }
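Review bot: The guard covers only the first allocation inside `if (!im->polyAllocated)`. If the function later grows `im->polyInts` for a larger `n` (that code is outside the hunk), the size computation there needs the same check. Within the hunk, `im->polyAllocated = n;` is set without testing the `gdMalloc` result, so a failed allocation would be recorded as a buffer of n ints. Add `if (!im->polyInts) return;` before that assignment.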
@@ -2371,6 +2380,9 @@ gdImageSetStyle (gdImagePtr im, int *sty
     {
       gdFree (im->style);
     }
+  if (overflow2(sizeof (int), noOfPixels)) {
+    return;
+  }
   im->style = (int *)
     gdMalloc (sizeof (int) * noOfPixels);
   memcpy (im->style, style, sizeof (int) * noOfPixels);
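Review bot: The early `return;` runs after `gdFree (im->style);` a few lines above, so on the overflow path `im->style` is left pointing at freed memory. A later use of the style, or a second gdImageSetStyle call, would then read or free that memory again. Do the check before the old style is released by moving `if (overflow2(sizeof (int), noOfPixels)) return;` ahead of the free. The `gdMalloc` result is also passed straight to `memcpy` without a NULL check. The start of the function is outside the hunk.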
 